SECURITY SPENDING


IS YOUR SECURITY STRATEGY ON THE MARK? HERE ARE THREE RATIOS TO HELP YOU ASSESS ITS EFF


THE IDEA THAT THE INTERNET COULD FAIL never crossed my mind until Oct. 21, 2002. As acting CIO of NASA, I was informed that a computer at the Ames Research Center in California, operating as one of 13 global Internet domain name root-name servers—the master address controls for the entire Internet—was rejecting incoming traffic from California to as far west as India.

A globally coordinated distributed denial of service (DDoS) attack was aiming to overwhelm the processing capacity of each root-name server. We had to start throttling down incoming traffic before we ceased to function.


The incoming flood of messages was traced as coming primarily from South Korea, but there was no way to track the perpetrators. On the Internet, assaults can be executed by proxy machines, triggered from anywhere. At that point, I stopped trusting the Internet as a safe information highway.

In January 2003, my apprehensions were confirmed again when the rapidly spreading Slammer worm started clogging the Internet. It was propagating worldwide by capturing the operating systems on infected computers—running the widely used Microsoft SQL Server 2000 as well as the Microsoft Desktop Engine 2000—and turning them into “zombie” generators of messages that replicated the worm. This worm was small, only 376 bytes, but clever in its self-propagating habits. As traffic surged, worms took over much of the Internet’s traffic and jammed network switches, which then re-routed transmissions to less congested paths. In this way, the traffic queues could be built up and spread worldwide in a few minutes so that many messages could not be delivered.

And the Slammer isn’t the only attempt to damage Internet communications; as of this writing, my library of known intruders contains 72,838 viruses, worms and other malware.

As designed, the Internet does not ensure the integrity of the data (e.g., e-mail messages) that traverses it. There’s no way to be sure, for example, that a service provider between point A and point B has not tampered with data. It’s also easy to disguise the source of an attack because of the Internet’s decentralized architecture.

The prospect of imposing an all-encompassing security discipline on the global Internet is zero. The best an organization can do is carve out a securely managed intranet, sufficiently isolated from the public Internet with every affordable protective measure. Even then, attackers will find ways to circumvent the defenses.

The attack volume did not exceed 50 to 100 megabits per second per root server, yet the impact was devastating. Failing servers handed over traffic to their peers. The workload on the survivors rose sharply and led to “cascading” failures. Nine of the 13 root servers were out of commission in a few minutes. The hidden attacker, after two hours, retreated after gathering sufficient intelligence about the weaknesses of our defenses. This “information warfare” probe was the first known simultaneous attack on every root server.

So how, then, do you figure out a return on your security investments? While many CIOs say it is difficult to measure the value of investments in computer security, I believe it is possible to gauge whether your organization’s approach is on target. I recommend looking at three ratios. (See “Is Your Security Strategy Sound?” on p. 108 for details.)


The ratios are:
> Compare information security spending vs. total IT spending. If security spending exceeds 10%, your business architecture is probably poorly designed to cope with attackers.
> Examine the value of lost employee time vs. your investment in information security. If the cost of your security investment is 200% or more of the value of employee downtime, you may be spending too much on security.
> Measure what impact cyberattacks are having on employee productivity. If you are experiencing a loss of 1% or more in productivity, review how you are protecting your information. For instance, examine the location of your firewalls to determine whether centralization of defensive barriers would give you greater protection.
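As an added illustration (not part of the original article and not the author's own model), the following Python sketch applies the three ratios above to constructed figures. The three thresholds are the article's; the input model, the way lost employee time is valued (hours lost multiplied by an assumed fully loaded hourly cost), the field names and the sample numbers are assumptions made for this example. It also handles the case the article does not mention: when no downtime has been recorded at all, the second ratio is undefined rather than a sign of overspending.

```python
from dataclasses import dataclass

# The three thresholds below are the ones the article gives. Everything else
# (input model, valuation of lost time, sample figures) is an assumption made
# for this example.
SECURITY_SHARE_OF_IT_MAX = 0.10   # security spending vs. total IT spending: > 10% warns
SPEND_TO_DOWNTIME_MAX = 2.00      # security spending vs. value of lost time: >= 200% warns
PRODUCTIVITY_LOSS_MAX = 0.01      # productivity lost to cyberattacks: >= 1% warns


@dataclass
class SecurityPosture:
    """Figures for one organization over one period (constructed inputs)."""
    total_it_spend: float        # total IT spending
    security_spend: float        # information security spending
    employee_hours_lost: float   # employee hours lost to attacks and outages
    loaded_hourly_cost: float    # assumed fully loaded cost of one employee hour
    total_employee_hours: float  # total paid employee hours in the period


def lost_time_value(p: SecurityPosture) -> float:
    """Value of employee downtime, assumed here as hours lost x loaded hourly cost."""
    return p.employee_hours_lost * p.loaded_hourly_cost


def ratios(p: SecurityPosture) -> dict:
    """Compute the article's three ratios. The second is None when no downtime
    was recorded, because a ratio against zero is undefined."""
    downtime_value = lost_time_value(p)
    return {
        "security_share_of_it": p.security_spend / p.total_it_spend,
        "spend_to_downtime": (p.security_spend / downtime_value) if downtime_value > 0 else None,
        "productivity_loss": p.employee_hours_lost / p.total_employee_hours,
    }


def assess(p: SecurityPosture) -> list:
    """Return one finding per ratio that crosses the article's threshold."""
    r = ratios(p)
    findings = []
    if r["security_share_of_it"] > SECURITY_SHARE_OF_IT_MAX:
        findings.append(
            f"security spending is {r['security_share_of_it']:.1%} of IT spending (>10%): "
            "the business architecture may be poorly designed to cope with attackers")
    if r["spend_to_downtime"] is None:
        # Undefined ratio: either losses are genuinely zero or they are not being measured.
        findings.append(
            "no employee downtime recorded: spend-to-downtime ratio is undefined, "
            "check that losses are actually being measured")
    elif r["spend_to_downtime"] >= SPEND_TO_DOWNTIME_MAX:
        findings.append(
            f"security spending is {r['spend_to_downtime']:.0%} of the value of lost "
            "employee time (>=200%): you may be spending too much on security")
    if r["productivity_loss"] >= PRODUCTIVITY_LOSS_MAX:
        findings.append(
            f"productivity loss from cyberattacks is {r['productivity_loss']:.2%} (>=1%): "
            "review how information is protected, e.g. where firewalls are placed")
    return findings


# Constructed sample organizations (not real figures).
FLAGGED = SecurityPosture(total_it_spend=50_000_000, security_spend=6_000_000,
                          employee_hours_lost=20_000, loaded_hourly_cost=60,
                          total_employee_hours=2_000_000)
ON_TARGET = SecurityPosture(total_it_spend=50_000_000, security_spend=3_000_000,
                            employee_hours_lost=30_000, loaded_hourly_cost=60,
                            total_employee_hours=4_000_000)

if __name__ == "__main__":
    for name, posture in (("FLAGGED", FLAGGED), ("ON_TARGET", ON_TARGET)):
        print(name, ratios(posture))
        for finding in assess(posture) or ["all three ratios within the article's limits"]:
            print("  -", finding)
```

The ON_TARGET sample stays inside all three limits; the FLAGGED sample trips all three (12% of IT spend, security spend at 500% of lost-time value, and exactly 1% productivity loss). Because the second and third ratios depend entirely on how downtime is counted and costed, the numbers are only as good as the loss measurement behind them.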

The goal of total security is not achievable in complex systems that have millions of hardware and software vulnerability points. The defenders will have to monitor the frequency and losses from intrusions to balance the costs of protection against potential damages.